VTech Breach, Hacking Barbies, and Internet of Things Security

Late last month on Black Friday, Hong Kong-based toymaker VTech suffered a data breach.  Sure, we can just dump it into the ever-expanding list of hacked retailers–except this time, the hacker was able to obtain data of over 200,000 children.

VTech specializes in making internet-connected electronics like tablets and smart watches for kids.  Way cooler and more educational than the Lincoln Logs I played with at that age!  But the gadgets involve both parents and children setting up profiles, which sends information to VTech’s servers including birthdays, email addresses, physical addresses, and chat logs, all of which the hacker gained access to.  He was even able to download 190GB of children’s profile photos.

Luckily, the hacker doesn’t intend to use or sell this information.  Motherboard quotes him as saying, “Frankly, it makes me sick that I was able to get all this stuff.”  In the meantime, VTech declined to respond when asked why they were storing information like chat logs.

Internet of Things Barbie

Earlier this month, Bluebox Security and independent researcher Andrew Hay managed to hack a Barbie doll.  The doll is part of a new line called “Hello Barbie” that connects to a cloud server, allowing children to talk with it.  The manufacturers ToyTalk and Mattel, to their credit, have been very responsive in working to resolve the vulnerabilities.

These aren’t the first instances of children being affected by lapses in cybersecurity.  Schools and colleges have been hacking targets for a while already.  But maybe we need to ask ourselves, are we ready for the Internet of Things?  And are we willing to let children be in the crossfire?  I already see three-year-olds with their own iPads; I doubt that wearables will be limited to adults.  Parents will be able to easily track their children’s location with smart watches; what will keep someone from hacking the tracker device and determining that child’s location as well?

What worries me in particular is that not every company has ethical business practices.  Not every company cares about its customers.  Not every company will choose cybersecurity over profit–and those companies will be mass-producing hackable toys.  How many toys like this will be distributed on Christmas, just 10 days from now?

I urge not only parents, but anyone wanting to buy into the Internet of Things to check companies’ cybersecurity practices and ensure that you’re not making yourself an easy target.